The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the Amsterdam University [PDF Alert] revealed that US law allows for the US government to access information stored in the Cloud, by (ab)using the PATRIOT act. Multiple Dutch politicians have started asking questions from state secretary Teeven of the Justice Department as to whether he knew about this before the research project, and whether he did anything to prevent this or to warn Dutch citizens about this potential breach of privacy. He has since sent in an official answer.

Unsurprisingly, he confirms that the issue is real, but does not answer the question about whether he knew about this beforehand. He goes on to say that it is up to each individual to be careful with any information they publish online, be it to a cloud-based service or anywhere else. What surprises me, is that people still don’t seem to understand what the Cloud is, what it does and how it works. The effects of the PATRIOT act have long been known, and its effects have been hotly debated for years. How is this any surprise to anyone?

Please follow this logic:

The Cloud is the Internet. It really is that simple. Cloud Services are simply applications that run on clustered computer systems. Maybe on two, ten, a hundred or a thousand systems at a time, it doesn’t matter. Users –and data- are replicated to every system in this cloud regardless of where they are. There could be ten in your own country, twenty in the US and another fifty in Russia.

This is (most often) invisible to the end user, and very often special effort is made to keep it this way, and to make it one big system regardless of what server you are connecting to, or from what location. To be on the safe side, you should assume that regardless of where you are located when you upload data, it is uploaded to the entire grid – not just the part in your country.

And it matters where these systems are located geographically, because that is the only factor in the question as to what country’s laws this system –and more importantly the data on that system- is subject to. For example: Google has servers dedicated to Google Docs in a lot of countries such as the Netherlands, Germany, Britain, the US and probably several countries in Asia.

You upload a document to Google Docs while in the Netherlands. As soon as you do, it is replicated to either all the systems all over the globe, or replicated between central data storage sites all over the globe. It is generally safe to assume that your data will be everywhere, regardless of where you are. ANY country that has Google servers for Google Docs within its borders can in theory –this depends on what laws exist in said country- demand access to this data.

The US is almost certainly not the only government that can do this, but even if no other country has such laws, you can rest assured that if the need ever arises (from a national security standpoint) to access your data, things tend to get very ‘flexible’ on very short notice in most countries. Therefore you should assume that you can not trust any online service with your data, regardless of its classification or nature.

As has always been the case, in the end you –and only you- remain the only person responsible for what happens to your data. If you absolutely do not want it leaked, don’t put it on the Internet.

About the Author:Don Eijndhoven writes articles on the state of Cyber Warfare and related topics, and can often be found speaking at various conferences. His articles have been published in places such as InfosecIsland.com, ICTTF.org, ITGRCForum.com, PenTest Magazine, PvIB Magazine and a variety of other magazines and websites. Don is an independent security researcher and entrepreneur and the founder of the Dutch Cyber Warfare Community, a platform for all people working in the Cyber Warfare industry in the Netherlands, and a founding board member of the Netherlands Cyber Doctrine Institute (NCDI). The NCDI is a foundation that aims to assist the Dutch Ministry of Defence with writing proper cyber doctrine. He is also the CEO of Argent Consulting, a Dutch firm that offers a full range of services in all areas of Cyber. He holds a Bachelor in Computer Science and is currently working on his MBA at Nyenrode Business University.

Editor's Note: The views expressed in this article are the opinions of the author. Security Bistro is not responsible for the article's content or messaging.